
Cisco 1800 Series Integrated Services Routers

Empowering Branch Networks with Value Added Integrated Services and Solutions

December 2006

A Cisco Integrated Services Router Technology Primer

1.0 Executive Summary

Today's business realities are changing the communications landscape, accelerating convergence and integration. For example, the ubiquitous cell phone is no longer just a phone. It has morphed into an integrated MP3 player, camera, camcorder, web browser, text-messaging and e-mail terminal, walkie-talkie, storage medium, and authentication device; the capabilities are endless. Likewise, a computer is no longer just a fast computing machine, but a true multimedia endpoint capable of serving as a DVD player/recorder, a VoIP phone, an audio player, a game machine, and even a TV, as well as a work system. Wherever one looks, the trend is obvious: integrated services and applications are being delivered in a smaller form factor, resulting in enhanced productivity and efficiency for the end user.
Over the past few years, Cisco® has assumed industry leadership in applying this innovative concept to a domain that is considered mission-critical-the branch router. The result is the highly successful Cisco Integrated Services Router (ISR) with over 2 million sold in a little more than two years. This white paper discusses the concept of Integrated Services as they apply to the branch router and how they help to create the empowered branch for small-to-medium business, large enterprises, and service providers offering managed services.

2.0 The Empowered Branch

Yesterday's buzzwords are becoming today's business realities, changing the way networks are designed and run. The communications landscape is rapidly evolving as IP convergence takes hold and accelerates the use of unified applications. Enterprises, small and medium-sized businesses (SMBs), and service providers recognize this trend and are adapting themselves as Quality of Experience (QoE) becomes paramount.

Figure 1. Business Imperatives and Network Realities Accelerating Branch Infrastructure Upgrades

The emergence of the corporate branch as a major center of business activity has presented both challenges and opportunities to IT organizations. Today, more than 70 percent of company resources are located in branch offices1, and over one-third of all employees work in remote sites.2 Decision making is becoming localized as branches evolve into "mini-HQs". To be productive in this model, the branch employees demand consistent application and end-user experience, independent of geography and the size of the organization. They also require service coherency and consistency on par with the headquarters. A reliable network infrastructure is vital to deliver on these objectives.
As a result, branches face two challenges today-(i) to embrace technology and deliver collaborative applications and (ii) to achieve the first objective, while focusing on the cost aspects, i.e., Return on Investment (RoI) and Total Costs of Ownership (TCO). The "empowered branch" concept is a Cisco initiative that describes how organizations can achieve both these goals by adopting integrated services into the network. By doing so, Cisco customers amplify the business potential of their organization and facilitate secure collaborative applications optimized for "quad play"-i.e., unified voice, video, data, and mobility applications.

3.0 Concept of Integrated Services in a Branch Router

Consider the requirements of a typical branch. The CPE infrastructure in general (and the CPE router in particular) plays an important role in enabling this change and in truly empowering the branch to become more productive and business-efficient. A recent Yankee branch survey indicated that more than 60% of the respondents prefer router-integrated services and listed the features that they would like most to be integrated into their routing platforms:

Figure 2. Preferred Router-Integrated Services and Their Primary Benefits

The reason for such a preference is simple. Services convergence helps companies to protect, optimize and grow their business. In fact, the survey respondents cited manageability as the biggest incentive, along with ease of support, better performance, lower operational costs, and the other factors shown in Figure 2.
These results are in line with the feedback Cisco has received from its own customers and that has been incorporated into its product design. Based on the considerations outlined previously, and Cisco's own experience, we can infer the requirements for at least the following customer capabilities, irrespective of whether they are offered as an integrated service or as discrete capabilities:

Routing

Switching

Secure Connectivity-Flexible VPNs

High-Touch Security Services-Stateful Firewalls, Intrusion Detection/Prevention Services (IDS/IPS), anti-spoofing, Distributed Denial of Service (DDoS) attack mitigation, virus protection, Network Address Translation (NAT), Network Admission Control (NAC), URL filtering, etc.

Collaborative applications-IP telephony, voice-video integration, video conferencing

Bandwidth and Application optimization-Quality of Service (QoS), Bandwidth, and WAN optimization

Mobility-Wireless applications

3.1 Approaches to Deliver Integrated Services at the Customer Premises

Now, let's examine the various options available to deliver some of these services to the customer. In the process, we shall also trace their evolution and examine their relevance to today's network requirements.
Consider the highly simplified scenario of a typical branch office connected to its headquarters through a "WAN cloud." For purposes of simplicity, we need not concern ourselves with WAN protocols or even the means of connectivity. We can also combine the requirement for virtual private networks (VPNs) with that of high-touch security services under a generic "security services" category. Using this method, we can classify the different approaches into three distinct areas.

Figure 3. Illustrating the Various Integrated Service Approaches at the CPE

3.1.1 The Overlay Model

In typical "overlay" network architectures, services such as firewalls, intrusion detection and prevention, virtual private networks, voice capability, and network monitoring, are provided by a separate appliance. A single enterprise branch network, therefore, may utilize some six or seven separate devices for fulfilling functions such as routing, switching, ensuring security, etc. This is because, historically, a majority of budget constrained enterprise IT organizations have functioned in a reactive mode, focusing on ensuring basic connectivity as more branches and remote sites are added. Many legacy networks existing today were built together in an overlay "string model," where devices were added to the CPE infrastructure based either on incremental budget allocation or in response to certain "incidents." For instance, a DDoS attack could prompt the addition of a stateful firewall and perhaps an intrusion detection and/or prevention appliance, while a virus outbreak could trigger the addition of an anti-virus application. Similarly, regulatory requirements could lead to the introduction of encryption, resulting in a heterogeneous, multi-vendor chain of overlay point products that suffer from poor integration.
While this model has the benefits of low capital costs to start with, it suffers from severe scalability and integration issues as the network evolves. With training, warranty, software loads, management, and support needs different for each multi-vendor product, the overlay model does not scale to keep pace with network growth.

3.1.2 Loosely Coupled Integration Model

This model advocates an "in-between" approach and is usually promoted by equipment vendors who are delivering first-generation products or are trying to retrofit additional services onto a base functionality. An architecture optimized for delivery of security services could be retrofitted to add routing capabilities, or even collaborative applications, but such integration would result in sub-standard performance for the non-core features.
This model is usually delivered by vendors of point products who have the necessary depth in one or two core areas, but not the breadth. As customer needs grow, additional complex functionalities like IP telephony or advanced routing and application optimization features are added via loosely coupled third-party integration. While this model endeavors to provide some degree of depth and breadth, it becomes unnecessarily complex as the network scales because of multi-vendor interoperability and multi-box manageability issues. Performance also becomes an area of concern.

3.1.3 Intelligently Coupled Model

This model advocates a platform purpose-built for flexible services integration and with the capability to evolve as new services and applications emerge. The biggest difference is in the architecture, which is optimized for concurrently delivering tightly coupled services at wirespeed through dynamic virtual service contexts on a single system. In its most rudimentary form, such a platform shares one operating system, memory, and processor across all of its services. It is fine-tuned to use the services-chain construct and to deliver secure collaborative applications intelligently.
Minor compromises in performance and sometimes even functionality are acceptable as compared to standalone "best-of-breed" devices because the benefits overwhelmingly outweigh any potential disadvantages. Even these perceived disadvantages are negated as the current generations of integrated services devices utilize embedded processors and hard drives for application performance and scalability. Furthermore, since the various services form part of one device, the manageability, training, support, and software loads are vastly simplified.

Figure 4. Conceptual Comparison of Service Delivery Models

Figure 4 conceptually compares the typical behavior exhibited by the three models described previously.
A system that is intelligently coupled can provide greater scalability (and performance) with concurrent services, as compared to an overlay system or a loosely coupled one. Over time, the return on investment is much higher with an intelligently coupled system because of lower operational costs and a far lower TCO. Manageability, listed as the highest priority for an integrated services router, is also vastly superior with a single system. While the overlay model causes a huge strain on resources because of multiple configuration, provisioning, and troubleshooting requirements, the loosely coupled system begins to experience the same issues when third-party add-ons are used to offset deficiencies in core services. Point "C" represents this inflection point for loosely coupled systems, where management becomes a multi-box problem, primarily because third-party capabilities have been integrated to supplement the capabilities of the base platform.
Cisco advocates and delivers on the intelligently coupled model with an advanced architecture through its Integrated Services Router portfolio. Now in their third generation and backed by over 20 years of experience embedded in the Cisco IOS® Software, this is a mature approach that offers the greatest value to customers.

4.0 Introducing the Cisco Integrated Services Router

The Cisco Integrated Services Router portfolio is a family of products that allows Cisco customers to "right-size" their network for a given deployment, while providing the opportunity to future-proof and scale the network evolution based on advanced services, platform density, roadmap, cost, and performance.
With multiple product offerings to meet the varied growth requirements, the Cisco Integrated Services Router offers choice, flexibility and functionality to aid customized network deployment. Cisco IOS Software is the "binding glue" that transcends across different platforms and offers consistency of user experience. Available in fixed-slot and modular configurations, this high-performance architecture is designed and optimized for concurrent service deployment without undue degradation and offers increased default and maximum memory configurations to accommodate future growth (Figure 5).

Figure 5. The Cisco Integrated Services Router Portfolio

While the Cisco 800 and 1800 Series Routers are primarily meant for SMBs and teleworker deployments, the modular Cisco 1841, 2800, and 3800 Series Routers offer a variety of LAN and WAN interface modules that provide unmatched flexibility for a variety of media types and access protocols. These modules are field-upgradeable, allowing customers to easily change a network interface without impacting the entire branch-office network.

4.1 Add-on Modules and Embedded Processors for Enhanced Performance

The greatest benefits for integrated services are perceived with the higher-end modular routers. For instance, with the optional integration of numerous services modules, the Cisco 3800 Series offers the ability to easily integrate the functions of standalone network appliances and components into the chassis itself. Many of these modules, such as the Cisco Network Analysis Module (NM-NAM), Cisco Unity Express Enhanced Capacity Network Module for Voice Mail and AA 16 ports (NM-CUE-EC), Cisco Intrusion Prevention System Network Module (NM-CIDS-K9) and Cisco Content Engine Network Module (NM-CE-BP-80G-K9), to name a few, have embedded processors and hard drives that allow them to run largely independently of the router, while allowing management from a single management interface. This powerful concept of a "platform within a platform" greatly expands the potential applications of the Cisco 3800 Series beyond traditional routing while maintaining the benefits of integration.
Independent external verifications have consistently provided proof points for the performance and scalability of the Cisco Integrated Services Router architecture running concurrent services.
For example, a December 2006 independent test by Miercom3 evaluated the Cisco 3845 integrated services router in multiple areas including integrated Layer 2 switching, VPNs, security services and voice capabilities, amongst others. The Cisco 3845 router ran Cisco IOS Software version 12.4(9)T1 in the test bed. In the performance test, Miercom verified that, while running a rich set of concurrent services, the Cisco 3845 deployed in the branch office could sustain a high level of bi-directional traffic to the Headquarters site. This included feature-testing, performance testing as well as failover scenarios as applicable to the branch office.

Figure 6. Actual test bed set up by Miercom to independently test performance of concurrent services on the Cisco 3845 integrated services router

5.0 Raising the Bar with Integrated Services and Solutions

High-performance, scalable integrated services and solutions are delivered on the Cisco Integrated Services Router via a flexible framework of services building blocks. The entire framework revolves around providing easier manageability independent of the solution being delivered and also on enforcing the three pillars of performance, availability and scalability that are so important to growing businesses needing to be "always on."
Figure 7 depicts a conceptual services framework geared to deliver solutions for voice, video, and data, as well as those related to emerging technologies like Wide Area Application Services or even Cisco TelePresence. This should not be construed as a layered model, but rather a modular one, where different building blocks can be mixed and matched to deliver the best possible solution.

"Our most recent independent tests (Dec 2006) showed the Cisco 3845 could sustain over 50 Mbps of concurrent voice, video, wireless and data routing services over a Gigabit Ethernet link and the 3845 processor still had capacity to spare. The AIM crypto-module handled 256-bit AES encryption, IPSec links and clientless SSL VPN connections. The integrated EtherSwitch Service module was able to route near line-rate traffic between 2 switch ports without impacting the 3845's processor performance. Additionally, with our performance load running, we were able to exercise a full suite of telephony functions including PSTN calls, secure voice calls, conferencing, auto-attendant, a variety of voice mail features and fax."

-Rob Smithers, President/CEO, Mier Communications Inc.

The Cisco Integrated Services Routers support more than 100 different modules for the widest array of deployment options, with new modules being continually introduced. The elegance of the framework ensures that each of the optional dedicated modules for advanced functionalities can function with no reliance on other network modules or WAN interface cards (WICs), but seamlessly integrate with Cisco IOS Software to provide an integrated solution. The Cisco Integrated Services Router further provides the flexibility to implement many services via Cisco IOS Software or with added hardware acceleration.

Figure 7. Modular Services Framework on the Cisco Integrated Services

The following sections will highlight some of the key services that can be delivered with the Cisco Integrated Services Router.

5.1 Routing

The Cisco Integrated Services Router supports the industry's most comprehensive suite of routing protocols, leveraging the Cisco IOS Software stack. These include Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), Routing Information Protocol (RIP), Border Gateway Protocol (BGP), and Optimized Edge Routing (OER). Support for both IPv4 and IPv6 is provided for scalable routing.
The Cisco Integrated Services Router also supports Multi-protocol Label Switching (MPLS) Label Edge Routing and customer edge functionality: Layer 3 VPNs, Layer 2 Any Transport over Multi-protocol Label Switching (AToM) pseudowires, and Multi Virtual Route Forwarding (Multi-VRF).
In addition to routing normal IP traffic, the Cisco Integrated Services Router also supports legacy non-IP protocols via circuit emulation. Delivered by network modules that offer circuit emulation, this service imitates a protocol-agnostic physical communications link across a packet-based IP network.

Figure 8. Circuit Emulation over IP

Circuit emulation offers a huge advantage for large corporations consolidating their legacy networks over IP. It is also ideal for TDM and leased line replacements in a phased manner.

5.2 Integrated Switching

The Cisco Integrated Services Router supports integrated switching on the Cisco 2800 and 3800 Series using the Cisco EtherSwitch® Service Modules. These innovative solutions reduce total cost of ownership by optionally integrating switch ports within a router-offering both routing and switching on a single platform and providing fewer points of management for the branch.
Other key features include:

• Support for new features such as IEEE 802.3af Power over Ethernet (PoE)

• Local, robust Layer 3 flexible WAN routing with wirespeed full-duplex Layer 2 switching

• Support for IEEE 802.1p, 802.1Q, and 802.1D spanning tree

• Voice Virtual LAN (VLAN) Feature for IP Phones

• Auto-sensing on each port, QoS and scalable VLANs

• Cisco Network Assistant and Cisco Emergency Responder

• Cisco StackWise® interfaces (available on select Network modules)

• Software feature parity with highly advanced Cisco Catalyst® 3750 Series Switches

A unique architectural design ensures that the Cisco EtherSwitch Module runs an independent Cisco IOS Software image with feature parity with the Cisco Catalyst 3750 Series Switches. Because the module's image is independent of the router's, voice calls and data connections can stay up through the switch even while the Cisco IOS Software on the router is being reloaded (including during a warm reload).

5.3 Virtual Private Networks (VPNs)

The Cisco Integrated Services Routers offer a variety of VPN offerings for both site-to-site and remote-access deployments that are among the broadest and most secure in the industry. The site-to-site VPN offerings include a strong suite of IPsec-based VPNs and MPLS-based VPNs, the former being more predominant in the branch routers. Remote-Access VPNs include those based on IPsec, as well as Secure Sockets Layer (SSL) with complementary capabilities. Figure 9 illustrates the categorization of different offerings.

Figure 9. Cisco Integrated Services Router VPN Offerings

A new Advanced Integration Module (AIM) for IPsec and SSL acceleration has been introduced for the modular Cisco Integrated Services Routers; it offloads both IPsec and SSL encryption from the main processor. It accelerates IPsec and is ideal for Group Encrypted Transport (GET) VPN and Dynamic Multipoint VPN (DMVPN), and it doubles the SSL VPN throughput and number of sessions compared to previous modules.

5.3.1 Site-to-Site VPNs

Dynamic Multipoint VPN (DMVPN)-DMVPN is a popular IPsec-based Cisco IOS Software solution for hub-and-spoke IPsec + GRE VPN deployments. Each spoke holds a permanent tunnel to the hub, and tunnels between spokes are built on demand, so a mesh of secure tunnels is obtained without configuring every pair of sites. It relies on two proven Cisco technologies, the Next Hop Resolution Protocol (NHRP) and the multipoint Generic Routing Encapsulation (GRE) tunnel interface. The simplicity of its configuration has ensured its successful deployment in hundreds of customer locations worldwide.

DMVPN supports scalable hub-spoke and spoke-spoke communication with dynamic routing utilizing GRE. Recent enhancements have included the improved resiliency to hub failures, reduced latency during call setup for spoke-to-spoke tunnels and provision for hierarchical hub design.
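The following is an added example, not configuration from the original paper: a minimal Cisco IOS DMVPN spoke showing the two building blocks named above, NHRP and a multipoint GRE tunnel, protected by an IPsec profile. The hub address 192.0.2.1, the tunnel subnet 10.0.0.0/24, the branch LAN 10.2.0.0/16, the interface names, the NHRP network-id, the tunnel key and the pre-shared key are all assumed placeholder values.

```cisco
! Added example: DMVPN spoke. Hub public address 192.0.2.1, tunnel subnet
! 10.0.0.0/24 and interface names are assumed placeholders.
!
! IKE and IPsec policy shared by the hub and all spokes.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
! A wildcard pre-shared key means every spoke shares one secret;
! certificates (PKI) are preferable once the spoke count grows.
crypto isakmp key REPLACE-ME-PSK address 0.0.0.0 0.0.0.0
!
! Transport mode: GRE already supplies the outer IP header.
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! One multipoint GRE interface reaches the hub and, on demand, every other spoke.
interface Tunnel0
 description DMVPN overlay to headquarters
 ip address 10.0.0.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
! NHRP: static mapping for the hub only; other spokes are resolved dynamically.
 ip nhrp authentication NHRPKEY
 ip nhrp map 10.0.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 ip nhrp holdtime 600
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
! Routing runs over the overlay; routing-protocol multicast goes to the hub
! via the "map multicast" entry above.
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 10.2.0.0 0.0.255.255
 no auto-summary
```

When a spoke forwards traffic whose next hop is another spoke's tunnel address, NHRP asks the hub to resolve that tunnel address to the other spoke's public address, and a direct IPsec-protected GRE tunnel is then built between the two spokes; "show ip nhrp" and "show crypto isakmp sa" show the mappings and tunnels that result. The hub side (not shown) needs "ip nhrp map multicast dynamic" and, for EIGRP, "no ip split-horizon eigrp 100" and "no ip next-hop-self eigrp 100" on its tunnel interface so that spokes learn each other's routes with the real spoke as next hop.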

Tunnel-less VPNs using Group Encrypted Transport (GET)-Newly launched and an industry first from Cisco, Tunnel-less VPNs offer a ground-breaking paradigm shift by leveraging the benefits of standards-based IPsec with intelligent dynamic QoS-based routing to provide secure any-to-any communication without overlay tunnels. Group Encrypted Transport advocates the concept of "trusted groups" and uses an RFC 3547 Group Domain of Interpretation (GDOI) protocol-based key server to establish security associations among authorized group members.

Group Encrypted Transport uses the existing routing infrastructure while encrypting packets using IPsec. Traditional tunnel-mode IPsec introduces a new outer IP header addressed to the tunnel peer; GET VPN instead copies the original IP header into the outer header of the ESP packet (IP header preservation), so the packet is still routed, and still treated by QoS, according to its real source and destination addresses. Because those addresses remain visible on the wire, GET VPN is intended for private WANs such as MPLS VPNs rather than for traffic that must cross the public Internet or traverse NAT.

Dispelling the notion of static mesh and overlay tunnels, this simple but elegant concept ensures:

– Optimized routing over the WAN infrastructure (including traffic-engineering routing over MPLS backbones), especially suited to deliver secure latency-sensitive traffic

– Higher scalability

– Better multicast replication

– Better manageability, especially for large-scale deployments requiring centralized management

– Secure policy assignment and enforcement, including addressing needs of lawful intercept and mirroring

– Compliance to regulatory requirements (e.g., HIPAA, PCI) necessitating encrypted traffic independent of WAN connectivity
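The following is an added example, not configuration from the original paper: a Cisco IOS GET VPN group member, illustrating the "trusted group" model described above. The key server address 192.0.2.10, the group identity 1234, the WAN interface and addresses, and the pre-shared key are assumed placeholders; the key server's own configuration (the "server local" block that defines rekey timers and the IPsec policy) is not shown.

```cisco
! Added example: GET VPN group member. Key server 192.0.2.10, group identity
! 1234, the serial interface and its addresses are assumed placeholders.
!
! IKE phase 1 is used only to authenticate this member to the key server;
! there is no per-peer IPsec negotiation between group members.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-ME-PSK address 192.0.2.10
!
! GDOI group: on registration the key server pushes the traffic-encryption
! key, the IPsec transform and the ACL that says which flows to encrypt.
crypto gdoi group GETVPN-GRP
 identity number 1234
 server address ipv4 192.0.2.10
!
! A GDOI crypto map names no peer and no transform set of its own: both are
! downloaded, so every member shares one group security association.
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-GRP
!
interface Serial0/0/0
 description link to MPLS provider edge (assumed interface)
 ip address 198.51.100.2 255.255.255.252
 crypto map GETVPN-MAP
!
! Verification, from enable mode:
!   show crypto gdoi          registration state and rekey counters
!   show crypto gdoi gm acl   encryption policy downloaded from the key server
!   show crypto ipsec sa      the shared group SA
```

Because the encryption policy lives on the key server, adding a site means registering one more member against the same group rather than touching every existing peer, which is the scalability and manageability benefit listed above. The key server is also a single point of policy control and should itself be protected (cooperative key servers for redundancy, and an ACL restricting which addresses may register).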

Figure 10. Fundamental Principles of Tunnel-less VPNs with Group Encrypted Transport

Voice and Video enabled VPN (V3PN)-Since managing separate voice, video, and data networks is costly and inefficient, the Cisco Integrated Services Router offers voice- and video-enabled VPN (V3PN) solutions. These combine the cost-effective, secure connectivity of site-to-site IPsec VPNs, with the IPsec tunnel built over a GRE interface so that routing protocols and multicast can cross it, with QoS policies that deliver toll-quality voice and jitter-free video. V3PN also provides bandwidth conservation, LAN and WAN security with encryption, and SLA and multicast support.

Easy VPN Server-Cisco Easy VPN greatly simplifies virtual private network (VPN) deployment for remote offices and teleworkers. Based on the Cisco Unified Client VPN Framework, the Cisco Easy VPN solution centralizes VPN management across all Cisco VPN devices, reducing the management complexity of VPN deployments. Cisco Easy VPN consists of two components: Cisco Easy VPN Remote and Cisco Easy VPN Server. The Cisco Easy VPN Remote feature allows Cisco IOS Software routers, Cisco PIX® Security Appliances, Cisco VPN 3002 Hardware Clients, and the Cisco VPN Client to receive security policies upon a VPN tunnel connection from a Cisco Easy VPN Server, minimizing configuration requirements at the remote location.

The Easy VPN server allows the Integrated Services Router to act as a headend for site-to-site or remote-access VPNs where the remote-office devices are using the Cisco Easy VPN Remote feature. This feature pushes security policies defined at the central site to the remote VPN device, helping to ensure that those connections have up-to-date policies in place before the connection is established. Additionally, a device enabled with the Cisco Easy VPN Server can terminate VPN tunnels initiated by mobile remote workers running the Cisco VPN Client software on PCs. This flexibility allows mobile and remote workers to access critical data and applications on their corporate intranet.
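The following is an added example, not configuration from the original paper: a Cisco IOS Easy VPN Server that terminates both Easy VPN Remote routers and Cisco VPN Client software, and pushes the address pool, DNS server and split-tunnel policy described above. The group name, user name, address ranges, interface names and all secrets are assumed placeholders.

```cisco
! Added example: Easy VPN Server using a dynamic virtual-template interface.
! Group name, user, addresses, interface names and secrets are placeholders.
!
aaa new-model
! Keep a default login list or enabling AAA can lock you out of the console/vty.
aaa authentication login default local
aaa authentication login EZVPN-XAUTH local
aaa authorization network EZVPN-GROUPS local
username alice secret REPLACE-ME-USER-SECRET
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
!
! Policy pushed to the client when the tunnel comes up.
ip local pool EZVPN-POOL 10.200.0.1 10.200.0.254
ip access-list extended EZVPN-SPLIT
 permit ip 10.1.0.0 0.0.255.255 any
crypto isakmp client configuration group TELEWORKERS
 key REPLACE-ME-GROUP-KEY
 dns 10.1.1.10
 domain example.com
 pool EZVPN-POOL
 acl EZVPN-SPLIT
!
! ISAKMP profile: match the group, require XAUTH user login, hand out policy.
crypto isakmp profile EZVPN-PROF
 match identity group TELEWORKERS
 client authentication list EZVPN-XAUTH
 isakmp authorization list EZVPN-GROUPS
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set EZVPN-TS esp-aes 256 esp-sha-hmac
crypto ipsec profile EZVPN-IPSEC
 set transform-set EZVPN-TS
 set isakmp-profile EZVPN-PROF
!
! Each connecting client gets its own virtual-access interface cloned from
! this template, so per-user ACLs, QoS or NetFlow apply as on any interface.
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZVPN-IPSEC
```

The group key authenticates the device or client to the group; the XAUTH step then authenticates the individual user, so a leaked group key alone does not grant access. "show crypto session" and "show crypto isakmp sa" list the active remote peers.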

5.3.2 Remote-Access VPNs

Cisco Integrated Services Routers support both the IPsec and SSL VPN flavors for remote access.

Easy VPN Remote-Easy VPN Remote functionality allows the Cisco Integrated Services Routers and other appliances supporting this capability to connect remote offices. It connects to the Easy VPN Server over a VPN tunnel connection and receives security policies, minimizing configuration requirements at the remote location.

Cisco VPN Client-These IPsec thin clients run on desktops and notebooks and terminate on the Cisco Integrated Services Routers, allowing mobile workers and teleworkers access to the corporate infrastructure. The Cisco VPN Clients are supported on a variety of Windows, Mac OS, Linux, and Solaris operating systems.

Cisco IOS SSL VPN-Formerly known as Cisco IOS WebVPN, this capability allows for secure remote access through standard browsers supporting native SSL encryption. Cisco IOS SSL VPN provides the flexibility to support secure access for all users, regardless of the endpoint host from which they are establishing the connection. If application access requirements are modest, the SSL VPN does not require a VPN client to be preinstalled on the endpoint host.

IPsec and SSL-based VPN offerings are complementary, as they solve different problems (see Figure 11). They can coexist on the same platform, allowing the Cisco Integrated Services Routers to serve different remote-access user requirements.

Figure 11. Solution Space for IPsec and SSL-based Remote-Access VPNs

5.4 High-Touch Security Services

In addition to secure site-to-site and remote-access VPNs, the Cisco Integrated Services Router is a key part of the Cisco Self-Defending Network (SDN) security strategy, and its comprehensive services enable a single, resilient platform to rapidly deploy and secure networks and applications. All entry points to the network are protected by best-in-class security functions at multiple layers that are streamlined to lower training and manageability costs, providing Adaptive Threat Defense (ATD). Prominent threat defense features include:

Stateful Firewall-The Cisco IOS Firewall is an ICSA-certified stateful firewall feature set that helps protect network uptime and security by defending customer networks against network and application layer attacks, viruses, and worms, as well as providing effective control of application traffic flowing through the network. Cisco IOS Firewall configuration is supported by an intuitive GUI-based device management application called the Cisco Router and Security Device Manager (SDM), which is provided free of charge as part of all Cisco IOS Software security images. Cisco IOS Firewall configuration is also supported by Cisco Security Manager for larger deployments. Centralized monitoring across distributed firewalls and other security devices is available through Cisco Security Monitoring, Analysis and Response System (MARS).

Key Firewall capabilities include:

– Zone-based policy framework for intuitive policy management

– Application Firewalling for web, email and other traffic

– Instant Messenger and Peer-to-Peer application filtering

– VoIP protocol Firewalling

– Bandwidth usage protection via integration with world-class Cisco IOS QoS

– Virtualized/VRF Firewalling

– Wireless integration

– Stateful Failover

– Intuitive Device Management using Cisco SDM or Cisco Security Manager

– Firewall Monitoring using Cisco Security MARS, SNMP MIB and Cisco SDM

– Local URL whitelist/blacklist support
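The following is an added example, not configuration from the original paper: a zone-based policy firewall on a branch ISR, illustrating the zone-based framework and application (Layer 7) inspection listed above. The interface names and the 10.1.0.0/16 LAN are assumed placeholders.

```cisco
! Added example: zone-based policy firewall. Interface names and the
! 10.1.0.0/16 LAN are assumed placeholders.
!
! Interfaces in different zones cannot exchange traffic unless a zone-pair
! permits it. Traffic to the router itself belongs to the implicit "self" zone.
zone security INSIDE
zone security OUTSIDE
!
! "match protocol" engages the stateful inspection engine for that application,
! so return traffic is admitted only for sessions opened from INSIDE.
class-map type inspect match-any WEB-AND-DNS
 match protocol http
 match protocol https
 match protocol dns
class-map type inspect match-any MAIL-AND-FILES
 match protocol smtp
 match protocol pop3
 match protocol imap
 match protocol ftp
!
! Inspect the allowed applications; drop and log everything else.
policy-map type inspect IN-TO-OUT
 class type inspect WEB-AND-DNS
  inspect
 class type inspect MAIL-AND-FILES
  inspect
 class class-default
  drop log
!
! No OUTSIDE-to-INSIDE zone-pair is defined, so unsolicited inbound traffic
! is dropped by default; add one only for services the branch publishes.
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT
!
interface FastEthernet0/1
 description branch LAN (assumed)
 ip address 10.1.1.1 255.255.0.0
 zone-member security INSIDE
interface FastEthernet0/0
 description WAN (assumed)
 zone-member security OUTSIDE
!
! Verification: show policy-map type inspect zone-pair sessions
```

Assigning an interface to a zone immediately cuts it off from interfaces in other zones, so on a live router the class maps, policy map and zone-pair should be configured first and the "zone-member" commands last. The "drop log" in class-default is what makes the policy auditable: every flow that falls through the allowed list produces a syslog entry that can be fed to MARS or another collector.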

Intrusion Prevention System (IPS)-The Cisco Integrated Services Router supports inline intrusion prevention either in Cisco IOS Software or on a dedicated network module (the NM-CIDS listed in Section 4.1). Both use a comprehensive signature database and can load custom signatures dynamically. The network module stores the signature database locally, captures and logs all events, and can raise alarms, drop packets and reset connections.

Trust and Identity-The Cisco Integrated Services Router offers a flexible Authentication, Authorization, and Accounting (AAA) mechanism, including support for Public Key Infrastructure (PKI) and IEEE 802.1X.

Cisco Network Admission Control (NAC)-Cisco NAC enforces a comprehensive admissions policy across all access methods. It assesses all endpoints, including LAN, wireless connectivity, remote access and WAN and prevents noncompliant and rogue endpoints from accessing or affecting the network. It proactively protects against worms, viruses, spyware, and malware. Cisco NAC helps leverage existing endpoint and anti-virus investments (with multi-vendor support) and helps reduce operational costs associated with unplanned outage downtime.

DDoS mitigation-No single feature stops a Distributed Denial of Service (DDoS) attack, so the router combines several of the capabilities described in this paper: anti-spoofing filters at the perimeter, stateful inspection in the firewall, NBAR-based classification and policing of attack traffic, and Control Plane Policing with CPU/memory thresholding (Section 5.4.1) to keep the router itself responsive while an attack is under way.

URL Filtering-The Cisco IOS URL Filtering solution monitors and regulates all web activities by blocking specific websites or restricting access to certain websites. Cisco IOS URL Filtering is a simple and easy-to-deploy solution. It is scalable, stable, and fully integrated with Cisco IOS Software. It works seamlessly with third-party web-filtering servers such as Websense, N2H2, and SmartFilter. With simplified configuration and URL management using Cisco SDM (see the section "Cisco Router and Security Device Manager (SDM)" later in this paper), this capability is easy to use.


When combined with other security features such as Network Address Translation (NAT) and VPNs, as well as other Cisco IOS Software features such as Layer 2 Tunneling Protocol (L2TP) and QoS, the Cisco Integrated Services Router provides a secured branch-office environment with branch and perimeter security solutions.
Many of these security services also adhere to stringent industry certification standards. The VPN and firewall capabilities are regularly tested against FIPS 140-2, ICSA Labs and Common Criteria EAL4 requirements. Such certifications are granted for specific combinations of hardware platform, software release and configuration, so a deployment that must claim certified status should be checked against the evaluated configuration rather than assumed from the product name.

5.4.1 Network Foundation Protection (NFP)

How does one secure a device that is intended to offer security services, and ensure that the device is not overwhelmed by Denial-of-Service (DoS) attacks, or by actions originating from unlawful access? Cisco IOS Software offers powerful security features that ensure continual operation for the Cisco Integrated Services Router.

Control-Plane Policing-To block DoS attacks and similar threats directed toward the heart of the network, Cisco IOS Software includes programmable policing functionality on routers that limits the rates of, or "polices," traffic destined for the control plane. This feature can be configured to identify and limit certain traffic types either completely or when above a specified threshold level.

AutoSecure-AutoSecure simplifies router security configuration and reduces the risk of configuration errors with customized approaches for experienced and inexperienced administrators. A single command instantly configures the security posture of routers and disables nonessential system processes and services, eliminating potential network security threats.

Network-Based Application Recognition (NBAR)-This is a classification engine within Cisco IOS Software that uses deep and stateful packet inspection to recognize a wide variety of applications, including web-based and other difficult-to-classify protocols that utilize dynamic TCP/UDP port assignments. NBAR, when used in a security context, can detect worms based on payload signatures. When an application is recognized and classified by NBAR, a network can invoke services for that specific application. NBAR also helps ensure that network bandwidth is used efficiently by working with QoS features to provide guaranteed bandwidth, bandwidth limits, traffic shaping, and packet coloring. Cisco SDM has an easy-to-use wizard to enable NBAR and also provides a graphical view of application traffic.

CPU/Memory Thresholding-Cisco IOS Software enables users to set global thresholds on the router's memory utilization and generate notifications when the thresholds are crossed. By reserving CPU and memory, this feature allows the router to stay operational under high loads, such as those created by attacks.

The same concept is extended to secure management with the support for Secure Shell v2 (SSHv2) Protocol and SNMPv3. To minimize security breaches, the Cisco Integrated Services Routers also support Role-Based CLI Access, which provides a hierarchical configuration and viewing capability based on administrative privileges and profiles.

5.5 Voice Integration

The Cisco Integrated Services Router delivers affordable and robust IP communications in enterprise branch offices and SMB offices. Through the integration of security, voice gateway, call processing, voicemail, automated attendant, conferencing, and trans-coding capabilities, Cisco Integrated Services Router platforms deliver a complete office IP communications solution.
The platform architecture embeds voice functions directly on the router motherboard, enabling customers to deploy advanced telephony services by installing digital signal processors (DSPs) and advanced integration modules (AIMs) for IP telephony conferencing, voice gateways, and Cisco Unity Express voice mail and automated attendant, in addition to industry-standard security. The advantage of this DSP-based approach is that it frees up the modular slots on the router for other modules or high-speed WAN interface cards (HWICs). Motherboard packet voice DSP modules (PVDMs) deliver conferencing, transcoding, and voice termination without the need for a network module or AIM. Cisco PVDM2 products installed within the integrated services router provide these services for both voice-over-IP (VoIP) and time-division multiplexed (TDM) traffic.

Figure 12. IP telephony with embedded voice functions inside the Cisco 3845 Integrated Services Router

The IP communications component for the branch-office solution includes the Cisco CallManager Express (CME) as part of the Cisco IOS® Software with Cisco Unity Express and Survivable Remote Site Telephony (SRST) with Cisco CallManager. The Cisco Integrated Services Router supports industry-standard protocols like Media Gateway Control Protocol (MGCP), Session Initiation Protocol (SIP) and H.323 as well as a variety of high-density analog and digital Network modules to connect to standard telephony equipment such as fax machines, PBXs, key systems and telephones. It can handle localized call processing with Cisco CME while Integrated Switching with the Cisco EtherSwitch Service Module can aid with support for IEEE 802.3af in powering IP phones.
Key voice applications and benefits with the Cisco Integrated Services Router include both mature features and recent innovations:

• Operating the routers as toll-bypass gateways by routing traditional private branch exchange (PBX) traffic across a corporation's IP network.

• Survivable Remote Site Telephony (SRST)-This mode helps guarantee call quality and preserves communication locally during network outages, promoting higher availability. It complements other availability features like Cisco CME auto-registration and Cisco CME DSP-based conferencing. Voice mail and automated attendant services can be delivered directly inside the Cisco Integrated Services Router using Cisco Unity Express or delivered centrally using Cisco Unity software. Customers can also implement Secure SRST to enable authentication and encryption support for both signaling and media transmission during a WAN outage.

• Enhanced security

– Secure SIP gateways-for encryption and fraud prevention

– Secure SRST for network outages

– Secure CME with media and signaling encryption. This ensures that voice conversations terminating on either TDM or analog gateway voice ports are protected from eavesdropping. It is accomplished via Secure Real-time Transport Protocol (SRTP) and Transport Layer Security (TLS).

• Support for VoiceXML-facilitates advanced IVR and call-center functionality as well as do-not-call registry processing

• Session Border Controller (SBC)-facilitates rich-media communication across networks

• Enhanced SIP trunking-The Cisco Integrated Services Router can provide VoIP and other real-time services based on Session Initiation Protocol (SIP) trunks and integrated SIP capabilities. With the Cisco SIP trunking solution in place, enterprises can quickly and easily implement secure VoIP throughout their organizations. SIP trunking allows provisioning of end-to-end voice, video, and data services with the ability for convergence while having easy trunk access and easy management of accounts. From a managed services perspective, this allows for higher quality of service and better customer satisfaction.

• Service consolidation on a single PRI-Integration of voice, video, and data connectivity over a single Primary Rate Interface (PRI) link allows optimal use of existing bandwidth

• The new support for tunnel-less VPNs with Group Encrypted Transport, described previously, provides vital security and clarity to IP communications voice and video solutions.

Figure 13. Cisco Integrated Services Router Platforms Used for IP Telephony in Branch Networks

The Cisco Integrated Services Router platforms are ideal platforms for implementing IP Communications in enterprise branch offices and small and medium-sized businesses. Their ability to deliver wire-speed IP Communications is the result of a high-performing processor, specialized voice silicon, innovative analog and BRI interface capabilities, embedded modular DSPs, and advanced telephony services such as Cisco CallManager Express, Cisco Unity Express, conferencing, and transcoding. With room for services growth and scalable options for integrated modularity, Cisco Integrated Services Router platforms are the platforms for IP Communications that protect future investments.

5.6 Video

Based on the same powerful support for QoS, Multicast, security, and bandwidth enhancement, Cisco also provides video conferencing capability to the branch. The Cisco Unified MeetingPlace® conferencing solution is a complete multimedia conferencing solution with voice, video, and web conferencing. Offering industry-leading video setup and control capabilities, Cisco Unified MeetingPlace conferencing helps branch managers remain in constant contact with executives at headquarters. Its conferencing capabilities support a range of applications, from highly collaborative meetings to training sessions and presentations.

• Cisco Unified MeetingPlace conferencing is deployed "on network" behind the firewall to protect company security, and it integrates directly with the voice and data network and enterprise applications on the Cisco Integrated Services Router. It takes advantage of existing voice networks (IP and circuit-switched) to reduce or eliminate transport toll charges and recurring conferencing charges.

• The Cisco IP/TV® solution, a comprehensive streaming solution that delivers TV-quality video programming to desktop PCs or display screens, can be used to provide video content or video on demand. Branch personnel can access live or recorded events by using a program listing that is updated whenever events are scheduled or content is added. This capability also allows customer content to be streamed to branch retail stores for promotional or educational purposes, background music to be played, or training sessions to be offered to personnel.

Newer video-related capabilities on the Cisco Integrated Services Router complement the voice integration features and promote higher availability:

• Video SRST-preserves video calling during network outages

• Cisco CallManager Express auto-registration-allows 'no-touch' deployments with minimal configuration errors

• High-density video conferencing-leverages the architectural improvements for voice processing in the integrated services router, with the DSP on the motherboard, allowing high-density conferencing for CallManager Express (with at least 8-party ad-hoc and 32-party meet-me calls)

5.7 Bandwidth and Application Optimization

As part of its efforts to optimize WAN performance and bring some degree of parity between LAN and WAN access speeds and experiences, Cisco has introduced innovative bandwidth- and application-optimization solutions. These solutions are supported via dedicated network modules on the Cisco Integrated Services Router, and they enhance the overall quality of application experience.
Cisco offers a comprehensive solution framework for this WAN optimization and Application Acceleration. This includes the Cisco Wide Area Application Services (WAAS) solution applicable to organizations considering extracting more performance from their WAN links and incorporating Cisco Wide Area File Services (WAFS) for distributed file services management over the WAN.

5.7.1 Cisco Wide Area Application Services (WAAS)

Also offered through a dedicated network module, Cisco WAAS Software optimizes TCP-based applications across the WAN by using techniques such as compression, redundancy elimination, transport optimizations, caching, and content distribution.
Unlike other WAN optimization solutions, Cisco WAAS combines application acceleration with WAN optimization and integrates transparently with the network, preserving TCP information to maintain functions such as security, QoS, visibility, and monitoring. Cisco WAAS is easy to deploy and manage, and it integrates with Cisco IOS Software.

5.7.1.1 Cisco Wide Area File Services (WAFS)

Available on the Cisco 2800 and 3800 Series Integrated Services Routers through dedicated Cisco Content Engine Network Modules supporting a Cisco Application and Content Networking System (ACNS), Cisco WAFS Software overcomes WAN latency, bandwidth, and packet-loss limitations with advanced protocol optimization technologies, thereby offering remote-office users LAN-like performance when accessing centralized file storage over the WAN.
Cisco WAFS utilizes protocol-specific optimizations such as latency mitigation, object caching, metadata caching, and WAN transport optimizations to help ensure efficient operation of standard file-system protocols over the WAN while maintaining file coherency, locking, security, and access policies to ensure data integrity. The solution does not require installation of software on client workstations, file servers, or NAS devices. Fully transparent to the end user, Cisco WAFS integrates transparently into the existing network and file storage infrastructure.

Figure 14. Generic Framework for WAN and Application Optimization

5.7.2 Benefits of the Cisco WAAS Solution

Useful both for branches that want to optimize their network WAN bandwidth and consolidate their file servers and storage in centralized datacenters, as well as for service providers who want to add value to their bandwidth leasing, the Cisco WAFS and Cisco WAAS solutions provide significant overall benefits including:

• Lower TCO-Helps consolidate network, storage, and file servers centrally

• Enhanced data protection-Easier backup, restore, and disaster recovery ensure business continuity

• Reduced administration-Easier overall management

• Faster file access and sharing-Protocol-specific optimizations enhance performance and productivity

• Latency, bandwidth, and throughput improvements-Together with transparent network integration, these allow Cisco WAAS to take advantage of traffic classification, QoS, policy-based routing, high availability, load balancing, and other network policies

In turn, this permits network administrators to use freed bandwidth to roll out new applications such as voice and other advanced capabilities. They can additionally centralize remote resources to meet regulatory guidelines by consolidating branch servers, storage, and backup systems without impacting users. Cisco WAAS also improves the end-user experience by reducing latency, helping make workers more productive. Since Cisco WAAS is an integrated services solution, it is deployed with zero additional footprint and adds no new appliances or recurring WAN costs. Service behavior is preserved through network transparency.
With Cisco WAAS integrated with Cisco IOS Software, IT administrators achieve faster applications, reduced WAN expenses, and a consolidated branch through WAN optimization, application acceleration, and wide area file services. Administrators benefit from a more easily managed WAN through better monitoring and provisioning via NetFlow v9, better performance, visibility monitoring, and IP SLAs. They are also able to better preserve network services and protect their investment with dynamic auto-discovery and network transparency. With the bandwidth freed up, applications meet their goals through better QoS and call control using advanced queuing, shaping, and policing.

5.8 Wireless Applications

The Cisco Integrated Services Router enables deployment of secure, manageable wireless LANs, optimized for remote sites and branch offices, including fast secure mobility, survivable authentication, and simplified management.
Providing a framework for a Unified Wireless Architecture, the Cisco Integrated Services Router offers compelling capabilities on the router platform:

• The Cisco Wireless LAN Controller Module (WLCM) offers additional security with systemwide wireless LAN functions, such as creating and enforcing security policies, intrusion prevention, RF management, quality of service (QoS), and mobility.

• For WLAN Connectivity, integrated 802.11 WLAN access points are supported as an option with the entire portfolio of Cisco Integrated Services Routers.

• Land Mobile Radio (LMR)-over-IP services significantly expand the scope of push-to-talk radio communications to include remote-access and dispatch operations from a variety of communications devices (IP, analog, and cellular phones, etc.) as well as interoperability among disparate radio systems to enhance productivity and collaboration capabilities for radio users.

• Other options include Public WLAN Hotspot-Integrated WLAN access points, access-zone-router (AZR) services, and Service Selection Gateway (SSG) services.

• It also supports enhanced WLAN survivability and mobility services with Cisco Aironet® Access Points located at the branch: survivable IEEE 802.1X local authentication admits up to 1,000 wireless clients into the secure wireless network for the branch, or serves as a backup for headquarters.

• WLAN and wired IP telephony support is provided with Cisco CallManager Express (CME) and Survivable Remote Site Telephony (SRST).

• The Cisco Integrated Services Router also supports customized guest access and Mobile IP Home Agent for transparent mobility.

5.9 Network Management and Instrumentation

One of the most important features in a product is its manageability. The Cisco Integrated Services Router provides a comprehensive management framework to suit all aspects of the management lifecycle, both for device-level management and network-level management. In addition, an open framework for integration with third-party management tools is provided.
Cisco management solutions address a broad range of needs and capabilities. These include:

• Integrated tools with streamlined user interfaces to simplify management tasks

• Automation with extended visibility to ease network deployment and hardware migration

• Zero-touch deployment options to further minimize deployment and operational costs

• Provisioning templates, configuration management, and monitoring tools to reduce risks from planned and unplanned network changes

• Robust "network view" of configuration, connection, and security policy compliance

• Active performance monitoring, alerting and isolation of trouble to predict and mitigate outages, while providing the right information for quick trouble identification and resolution

• Advanced analytics providing "what-if" analysis, configuration verification, and failure analysis for network resiliency planning

• Easy-to-use security monitoring and provisioning tools to ensure security compliance

• Additional, comprehensive, end-to-end security tools to enable a self-defending network

• Enable new services through an integrated management framework that combines foundation management and advanced technology management services with the ability to integrate and cross leverage tools for advanced and more detailed data, analysis and control

• Allow customers to add additional management solutions to address prioritized needs without causing disruptions in service or accessibility

5.9.1 Cisco Router and Security Device Manager (SDM)

The Cisco SDM is an easy-to-use web-based GUI and is meant for single device management. It implements NSA guidelines, ICSA and Cisco TAC recommendations and provides "one-touch" router lockdown. It is factory-loaded, free of cost, and is the industry-leading router and comprehensive security device management tool for VPN, firewall, routing, wireless, LAN/WAN interfaces, and QoS. It can significantly reduce the technical expertise required to configure the Cisco Integrated Services Router and minimize configuration errors.

5.9.2 The Cisco Network Analysis Module

The Cisco Network Analysis Module (NAM) is an integrated service module, activated in the Cisco Integrated Services Router without impacting its performance, users, or other services. It provides a detailed view of the enterprise WAN fabric, with traffic analysis of every application on the network. Detailed information is collected, including such data as:

• Global visibility into WAN traffic conditions and bandwidth utilization per application, per user

• Time-based trending of bandwidth usage per application

• Volume of data per application

• Top traffic producers and consumers (user/device)

Figure 15. Monitoring with Cisco NAM Traffic Analyzer

The Cisco NAM complements the Cisco WAAS solution on the Cisco Integrated Services Router, providing important predeployment and postdeployment visibility into traffic patterns and trends. Cisco WAAS accelerates traffic without modifying IP headers, ensuring that data collection and analysis are uncompromised. The Cisco NAM then leverages data collected by NetFlow v9, a software solution that provides visibility into WAN traffic issues, to deliver baseline metrics that can be used to measure business impact and monitor ongoing operations, and offers critical insight into the behavior of new hosts and applications that appear on the WAN.
The Cisco NAM is also supported by the Cisco Performance Visibility Manager application, a proactive network- and application-performance monitoring, reporting, and troubleshooting system for maximizing network availability. It offers traffic-analysis capabilities, application response-time monitoring, an intuitive GUI, an automatic baseline module, and comprehensive reporting. The Cisco NAM is an end-to-end solution that is also available on the Cisco Catalyst 6500 switching platform.

5.9.3 OAM Enhancements to Support Metro Ethernet Access

To enhance the manageability of Ethernet access on the Cisco Integrated Services Router portfolio, standards-based features are implemented for operations, administration, and maintenance (OAM). The following enhancements are available on the Ethernet access ports on the integrated services routers using Cisco IOS Software:

• Metro Ethernet Forum (MEF) 16-Ethernet Local Management Interface (E-LMI) customer edge functionality

• IEEE 802.1ag-Connectivity Fault Management (CFM) OAM

Ethernet OAM and Connectivity Fault Management on the Cisco Integrated Services Router provide the following capabilities:

• End-to-end continuity check

• Layer 2 traceroute

• Layer 2 ping (loopback)

6.0 Benefits of a Cisco Integrated Services Router

The benefits of using integrated services on the branch router are manifold, both for the device owner who owns and manages the device and for the end user who consumes services from the integrated services router.

Lower Operational costs and TCO-Typically the costs for initial purchase are minimal compared to the ongoing operational costs. The industry generally assigns 20% of the total lifetime costs for a system toward CAPEX and the remaining 80% toward OPEX and unscheduled blackouts.

Figure 16. Comparing TCO of a Cisco Integrated Services Router with Overlay Appliances

An internal Cisco-commissioned study to determine the TCO savings of the Cisco Integrated Services Router as opposed to a set of comparable overlay appliances (for a similar functional solution deliverable) estimated direct and indirect cost savings in the range of 40-70% per year, considering operational costs alone.

Enhanced Produc